The CCPA, CPRA, and California's Evolving Data Protection Landscape
California's data privacy laws have reshaped how businesses collect and protect personal information. This guide covers the CCPA, CPRA amendments, de-identification requirements, consumer rights, and what compliance really demands from your organization.

The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020, and it has fundamentally changed how businesses collect, use, and protect the personal information of California residents. Just over nine months after the CCPA took effect, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amends the CCPA and strengthens California's data privacy framework even further. Most CPRA provisions came into force on January 1, 2023, with enforcement commencing on July 1, 2023. On March 29, 2023, the California Consumer Privacy Act Regulations came into force as a complementary layer to the CPRA.
For businesses navigating this layered regulatory environment, clarity matters. This article provides a comprehensive overview of the CCPA as amended by the CPRA, with a focus on the data these laws protect, how de-identification fits into the compliance picture, and what the broader legislative evolution means for organizations operating at scale.
Who Does the CCPA Apply To?
The CCPA, as amended by the CPRA, applies to any for-profit business that collects, processes, sells, or shares the personal information of California residents and meets at least one of the following thresholds: the business has annual gross revenues over $25 million; it buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more California consumers or households annually; or it derives 50 percent or more of its annual revenue from selling or sharing California consumers' personal information.
Two aspects of this scope deserve particular attention. First, the CCPA and CPRA carry extraterritorial reach: businesses headquartered outside of California are fully subject to these laws if they meet the thresholds above. Second, the revenue thresholds are calculated based on overall business revenue, not just revenue generated in California or from personal information sales specifically. A large enterprise that incidentally touches California consumer data could find itself squarely within scope.
This broad applicability means that industries handling large volumes of personal data — including healthcare organizations, financial services firms, insurers, and technology companies — need to treat CCPA and CPRA compliance as a baseline operational requirement, not a California-specific edge case.
What Personal Information Is Protected Under the CCPA?
Section 1798.140(v)(1) of the CCPA, as amended by the CPRA, defines personal information broadly across ten categories. Understanding what falls within scope is the foundation of any compliance program.
Identifiers cover names, aliases, postal addresses, unique personal identifiers, online identifiers, IP addresses, email addresses, account names, social security numbers, driver's license numbers, passport numbers, and similar data points.
Personal information in the traditional sense includes physical characteristics or descriptions such as height, weight, and gender, as well as education information like school enrollment and degree history, and employment details including work history, salary, and benefits.
Commercial information encompasses records of products or services purchased, obtained, or considered, as well as purchasing or consuming histories and tendencies.
Biometric information covers data derived from unique biological characteristics: facial recognition data, iris or retina scans, fingerprints, voiceprints, and comparable information.
Internet or other electronic network activity captures browsing history, search history, and records of a consumer's interaction with a website, application, or advertisement.
Geolocation data includes both precise and general location information about a consumer.
Audio, electronic, visual, thermal, olfactory, or similar information covers audio and video recordings and other types of sensory data collected in connection with business operations.
Professional or employment-related information extends to employment history, professional licenses, and certifications.
Education information captures student records, transcripts, and similar documentation.
Inferences drawn from other personal information include any data used to build a profile about a consumer, including preferences, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities, and aptitudes.
What Counts as Sensitive Personal Information Under the CPRA?
Beyond the standard categories above, the CPRA introduces a distinct and expanded category of sensitive personal information. This includes what most privacy practitioners would expect, such as social security numbers and religious beliefs, but it also captures content of text and email messages, which marks a notable expansion of protections compared to the original CCPA.
Practically speaking, the distinction between personal and sensitive information does not dramatically alter a business's disclosure obligations: both require the same disclosure provisions, and businesses must provide opt-out options for the sale and sharing of both categories. Where sensitive personal information differs is that consumers carry an additional right to restrict specific usage and disclosure of that information. For businesses, this translates into a concrete compliance obligation: a "Do Not Sell My Personal Information" button and a "Limit the Use of My Sensitive Personal Information" button must appear on their website.
What Is De-identification Under the CCPA?
One of the most practically significant elements of the CCPA framework is its treatment of de-identified data. The CCPA explicitly excludes de-identified information from the definition of personal information, meaning that properly de-identified data falls outside the law's scope entirely. This creates a meaningful compliance pathway for organizations that work extensively with personal data.
Under the CCPA, "deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer. But meeting the definitional standard alone is not sufficient for exemption. The business that de-identifies the data must also implement three specific safeguards.
First, the business must take reasonable measures to ensure the information cannot be associated with a consumer or household. Second, it must publicly commit to maintaining and using the information only in de-identified form, and not attempt to re-identify it (except for the limited purpose of testing the integrity of the de-identification process itself). Third, the business must contractually obligate any recipients of the de-identified data to comply with all of the above.
How Does CCPA De-identification Compare to GDPR Anonymization?
The CCPA's de-identification standard is meaningfully less stringent than the anonymization standard under the EU's General Data Protection Regulation (GDPR). Under the GDPR, anonymization requires that data no longer relate to an identified or identifiable natural person, or that personal data has been rendered anonymous in such a manner that the data subject is not or no longer identifiable at all. The GDPR standard is more absolute: it does not suffice that data merely cannot "reasonably" be used to identify an individual.
That said, the practical methods used to achieve de-identification under either regime are largely the same. Both require the removal of direct and indirect identifiers and an evaluation of re-identification risk. The difference lies in the threshold that must be met, and in the additional operational obligations the CCPA places on businesses that choose to de-identify.
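The two steps named above, removing direct and indirect identifiers and then evaluating re-identification risk, can be made concrete with a small script. The following is an added example, not code from the article or from Limina's product: it uses regular expressions as a deliberately simple stand-in for real entity detection, generalizes the structured quasi-identifiers (ZIP code and age), and measures residual risk with k-anonymity, one common way to quantify how many records share the same indirect identifiers. All records are constructed and fictitious, and the field names, the `k_required` threshold and the redaction tokens are choices made for this illustration.

```python
"""De-identification sketch: strip direct identifiers from free text, generalize
indirect identifiers, then measure re-identification risk with k-anonymity.
Added example only; the patterns here are not a substitute for a real detector."""
import re
from collections import Counter

# Constructed, fictitious sample records: a free-text note with embedded direct
# identifiers plus three structured quasi-identifiers (zip, age, gender).
RECORDS = [
    {"name": "Maria Lopez", "zip": "94105", "age": 34, "gender": "F",
     "note": "Maria Lopez called from 415-555-0134 re claim; SSN 123-45-6789."},
    {"name": "Dana Okafor", "zip": "94107", "age": 37, "gender": "F",
     "note": "Follow up with dana.okafor@example.com about policy renewal."},
    {"name": "Wei Zhang", "zip": "94110", "age": 52, "gender": "M",
     "note": "Wei Zhang, no contact details in this note."},
    {"name": "Carlos Silva", "zip": "94112", "age": 58, "gender": "M",
     "note": "Carlos Silva requested a copy of his records."},
]

# Direct identifiers: values that point at one person on their own.
# Regexes are a simplification; real deployments need entity recognition.
DIRECT_ID_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

QUASI_IDENTIFIERS = ("zip", "age", "gender")  # indirect identifiers


def redact_direct_identifiers(text, known_names=()):
    """Replace direct identifiers with category tokens.

    Returns the redacted text and a count of replacements per category, which
    is useful evidence when testing the integrity of the process.
    """
    counts = Counter()
    for name in known_names:  # names known from the structured record
        text, n = re.subn(re.escape(name), "[NAME]", text)
        if n:
            counts["NAME"] += n
    for label, pattern in DIRECT_ID_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] += n
    return text, dict(counts)


def generalize_zip(zip_code, keep=3):
    """Keep the leading digits of a ZIP code and mask the rest: 94105 -> 941**."""
    return zip_code[:keep] + "*" * (len(zip_code) - keep)


def generalize_age(age, width=10):
    """Bucket an exact age into a fixed-width range: 34 -> 30-39."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one record is unique on its indirect
    identifiers and therefore plausibly linkable to a person."""
    classes = Counter(tuple(r[key] for key in keys) for r in records)
    return min(classes.values()) if classes else 0


def deidentify(records, k_required=2):
    """Redact notes, generalize quasi-identifiers, and report whether the
    resulting dataset meets the chosen k threshold."""
    out = []
    for r in records:
        note, _ = redact_direct_identifiers(r["note"], known_names=[r["name"]])
        out.append({
            "zip": generalize_zip(r["zip"]),
            "age": generalize_age(r["age"]),
            "gender": r["gender"],
            "note": note,
        })
    k = k_anonymity(out)
    return out, k, k >= k_required


if __name__ == "__main__":
    print("k before de-identification:", k_anonymity(RECORDS))
    released, k, ok = deidentify(RECORDS)
    print("k after de-identification:", k, "meets threshold:", ok)
    for row in released:
        print(row)
```

Run as a script, the raw records have k = 1 (every ZIP code is unique), while the generalized release has k = 2. The structure mirrors the obligations in the text: redaction and generalization are the "reasonable measures", and the k-anonymity check is the kind of integrity test that the CCPA permits even though re-identification for any other purpose is barred.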
For organizations that operate under both regimes — a common situation for multinational companies in pharma and life sciences, financial services, or healthcare — meeting the GDPR standard typically satisfies both, since it is the more demanding of the two.
How Limina Supports CCPA and GDPR De-identification
Limina's data de-identification platform is built by linguists, which means it is designed to understand language the way it is actually used in documents rather than relying on simple pattern matching. This matters in practice because personal information rarely appears in clean, structured fields. It appears embedded in clinical notes, call transcripts, legal documents, financial records, and customer communications, often alongside related entities that provide critical context for accurate detection.
Limina detects over 50 entity types across more than 52 languages with greater than 99.5% accuracy, processing up to 70,000 words per second. The vast majority of the entity categories that fall under the CCPA's definition of personal information — identifiers, biometric data, geolocation, employment-related information, education information, and more — are covered by Limina's supported entity detection capabilities across unstructured data and numerous file formats.
If your organization is working to bring its data practices into alignment with CCPA and CPRA requirements, contact Limina's team to learn how automated, linguist-built de-identification can accelerate your compliance program.
What Rights Do California Consumers Have?
Consumer rights sit at the heart of both the CCPA and CPRA, and understanding what these rights require of businesses is essential for compliance planning.
California residents have the right to know what personal information businesses collect about them, the categories of third parties with whom that information is shared, and the purposes for which it is used. They also have the right to request that businesses correct inaccurate personal information or delete personal information altogether. In both cases, businesses must provide a mechanism for submitting these requests and must respond within specified timeframes.
Businesses subject to the CCPA are required to maintain a privacy policy that outlines collected categories, usage purposes, and third-party sharing practices. The CPRA builds on this by expanding consumers' right to know specifically about automated decision-making and profiling based on their data, reflecting growing concern about algorithmic inference as a privacy risk in its own right.
The opt-out right covers both the sale and the sharing of personal information, with the CPRA extending the original CCPA's focus on "selling" data to also capture "sharing" for cross-context behavioral advertising purposes.
What Has Changed Since the CPRA Came Into Force?
A New Enforcement Agency with Expanded Powers
Perhaps the most consequential structural change introduced by the CPRA is the creation of the California Privacy Protection Agency (CPPA), a dedicated enforcement body with significant independent authority. The CPPA can investigate potential violations, issue subpoenas, hold public hearings, and impose fines and penalties for violations of the CCPA and CPRA. This represents a meaningful upgrade from enforcement under the original CCPA, which was handled exclusively by the California Attorney General's office.
The existence of a dedicated agency signals that California intends to treat privacy enforcement as an ongoing, proactive function rather than a reactive response to egregious violations.
Have Consumers Actually Used Their Rights?
The data on consumer opt-out behavior since the CCPA came into force is instructive, if perhaps counterintuitive. According to IAB survey data from November 2020, only 1-5 percent of consumers actually exercised their opt-out rights in the first year of CCPA enforcement. Access requests have similarly been limited.
The contrast with Apple's App Tracking Transparency (ATT) rollout is telling. ATT gave users a privacy-protective default by actively prompting them to decide whether apps could track them, and more than 80 percent of users declined tracking. The CCPA, by contrast, requires consumers to take affirmative steps to protect their rights — and most people's default behavior works against them in that framing. The lesson is an important one for policy design: rights-based frameworks that require active consumer participation often underdeliver relative to privacy-protective defaults.
The Shift Toward Privacy-Preserving Advertising
One notable industry effect of the CCPA was that many companies chose not to sell consumer data at all in the early days of the law, in large part due to concerns about the optics of displaying a "Do Not Sell My Personal Information" button on their website. Beyond that, privacy-preserving advertising has grown steadily as new solutions have captured market share from traditional data-sale models.
This trend reflects something deeper than legal compliance: organizations are increasingly recognizing that data privacy practices carry reputational and commercial implications, not just regulatory ones.
Is Compliance Actually Driving Organizational Change?
Evidence suggests it is. The IAPP-EY Annual Privacy Governance Report 2023 found that 33 percent of companies grew their privacy teams over the previous year alone. While no one disputes that fines and penalties create compliance pressure, the data suggests that the broader cultural shift toward privacy as an organizational priority is also pulling investment into this space.
The underlying conclusion is one the CPRA's drafters clearly understood: privacy protection cannot be the exclusive responsibility of the consumer. The behavior of organizations must change. Regulatory frameworks with enforcement teeth and credible penalties are one mechanism for driving that change. Building privacy-protective practices into data workflows from the outset is another.
What Should Businesses Do to Achieve CCPA and CPRA Compliance?
Compliance with the CCPA and CPRA is not a one-time project. It requires maintaining accurate records of data flows, updating privacy policies, building consumer request workflows, conducting vendor due diligence, and ensuring that data shared with third parties is covered by appropriate contractual protections.
For businesses in industries that process large volumes of sensitive personal data, such as contact centers handling customer communications or insurance companies processing claims data, the challenge of managing personal information at scale makes automated de-identification not just a convenience but a compliance necessity.
De-identification is particularly valuable because it removes personal data from the scope of the CCPA entirely, reducing both compliance burden and data breach exposure. But the quality of de-identification matters enormously: a system that misses entities or produces false positives creates its own risks. Limina's linguist-built approach to de-identification is designed to handle the complexity of real-world documents, where personal information is embedded in unstructured text, not neatly labeled in database fields.
If your organization is evaluating how to operationalize CCPA and CPRA compliance, get in touch with Limina to explore how context-aware, automated de-identification can reduce risk across your data pipelines.